Community Discussions and Support
Detect .scr files in .zip attachments?

[quote user="bfluet"]

Following up to report my experience with adding Sanesecurity signatures including the Foxhole signatures.  They dramatically increase the number of quarantined messages but a significant percentage of them have already been tagged as Spam by my domain host so would have been detected by existing spam filters.  I am still receiving messages containing a .scr file inside of an attached .zip so my original problem remains.  Some of these messages appear to come from a financial institution and are genuine-looking enough that I hesitate to tell POPFile they are spam for fear of increasing the possibility of false positives.  I have considered creating a ZIP user and diverting all messages containing .zip attachments to it so I could review those messages before forwarding to the intended user but this does not seem very practical and would certainly cause delays.

I remain open to new suggestions.

[/quote]

If you have executables inside zip files which are being missed by foxhole_all then please report them as errors to the relevant address found in Sanesecurity.

Is there a way to detect .scr files in .zip attachments?  The .zip attachment scans clean with both Viper and ClamAV yet if you forward one of these messages to a Gmail address it gets blocked.  I assume Gmail is detecting the .scr file inside the archive and I would love to be able to do the same with Mercury.

[quote user="bfluet"]

Is there a way to detect .scr files in .zip attachments?  The .zip attachment scans clean with both Viper and ClamAV yet if you forward one of these messages to a Gmail address it gets blocked.  I assume Gmail is detecting the .scr file inside the archive and I would love to be able to do the same with Mercury.[/quote]

Are you using Sanesecurity with Clamav?  If so you should include the Foxhole signatures.  For me they catch about 4 a day of .exe and .scr inside compressed files.

An alternative was described as a policy here last year: http://community.pmail.com/forums/thread/39442.aspx, although it needs a bit of tweaking and may be more prone to false positives.

I have not been using the Sanesecurity signatures but have tracked down instructions for implementing them (using ClamSup & rsynch) and that looks easy enough.  What I have been unable to figure out is how to include the Foxhole signatures.  Someone please point me in the right direction.

[quote user="bfluet"]

Is there a way to detect .scr files in .zip attachments?  The .zip attachment scans clean with both Viper and ClamAV yet if you forward one of these messages to a Gmail address it gets blocked.  I assume Gmail is detecting the .scr file inside the archive and I would love to be able to do the same with Mercury.

[/quote]

Are you using ClamWall as a 3rd party addon for Mercury? I am using this to ban file extensions...

[quote user="bfluet"]I have not been using the Sanesecurity signatures but have tracked down instructions or implementing them (using ClamSup & rsynch) and that looks easy enough.  What I have been unable to figure out is how to include the Foxhole signatures.  Someone please point me in the right direction.
[/quote]

Remove the "-" chars from the start of the 3 lines relating to Foxhole signatures in the downloaded Clamsup.ini.  (The detail of the format is in the comments at the start of the file.)

[quote user="Sellerie"]Are you using ClamWall as 3rd party addon for Mercury? I am using this to ban file extensions...
[/quote]

Doesn't this only ban the top level extension?  If you want to ban all ZIP files then it is great, but if you need to ban only executables (exe, scr and others) compressed inside ZIP files, then you need a more sophisticated solution.
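An added example, not part of this thread or of ClamWall or Mercury, of the kind of archive inspection PaulW describes: a small Python script that walks a message's MIME attachments, opens any zip payload (identified by its magic bytes rather than its declared filename), and reports members whose last extension is on a ban list, descending into nested zips up to a fixed depth. The ban list, the depth limit and the sample message are assumptions constructed for the demonstration.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default
# Assumed ban list: extensions that should never arrive inside an archive attachment.
BANNED_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
MAX_DEPTH = 3  # do not descend into nested zips beyond this depth (zip-bomb guard)

def banned_members(data, depth=0, prefix=""):
    """Return member paths with a banned extension, recursing into nested zips."""
    found = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                name = info.filename
                # Only the last extension matters: "statement.pdf.scr" is a .scr
                ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
                if ext in BANNED_EXTENSIONS:
                    found.append(prefix + name)
                elif ext == ".zip" and depth < MAX_DEPTH:
                    found.extend(banned_members(zf.read(info), depth + 1, prefix + name + "/"))
    except zipfile.BadZipFile:
        pass  # not a zip archive; nothing to inspect
    return found

def scan_message(raw):
    """Walk the MIME attachments and return banned members found inside zip payloads."""
    msg = message_from_bytes(raw, policy=default)
    hits = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)
        if payload and payload[:2] == b"PK":  # zip magic; ignore the declared filename/type
            hits.extend(banned_members(payload, prefix=(part.get_filename() or "attachment") + "/"))
    return hits

def build_sample():
    """Constructed test message: a zip holding a disguised .scr and a nested zip with an .exe."""
    nested = io.BytesIO()
    with zipfile.ZipFile(nested, "w") as zf:
        zf.writestr("update.exe", b"MZ-placeholder")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("statement.pdf.scr", b"MZ-placeholder")
        zf.writestr("readme.txt", b"hello")
        zf.writestr("inner.zip", nested.getvalue())
    msg = EmailMessage()
    msg.set_content("See attached.")
    msg.add_attachment(outer.getvalue(), maintype="application", subtype="zip", filename="statement.zip")
    return bytes(msg)
```

Running `scan_message(build_sample())` lists both the top-level `.scr` and the `.exe` hidden one archive deeper; a non-archive payload yields nothing. Encrypted or non-zip archives (rar, 7z) are not opened by this script and would need a separate check.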

[quote user="PaulW"]

Doesn't this only ban the top level extension?  If you want to ban all ZIP files then it is great, but if you need to ban only executables (exe, scr and others) compressed inside ZIP files, then you need a more sophisticated solution.

[/quote]

I got many mails with ZIP attachments and inside PDFs or executables. Those emails were deleted completely by ClamWall.

[quote user="Sellerie"]I got many mails with ZIP attachments and inside PDFs or executables. Those emails were deleted completely by ClamWall.
[/quote]

What does your "Attachment ban" list contain?

I've just sent myself an *.TTT file zipped up after adding TTT into my ban list and it didn't stop it.  When I put ZIP in the ban list and re-sent the message then it was caught as expected.

The Original Poster in the subject to this thread is asking for a method to "Detect .scr files in .zip attachments" rather than just blocking all ZIP attachments.

[quote user="PaulW"]Remove the "-" chars from the start of the 3 lines relating to Foxhole signatures in the downloaded Clamsup.ini.  (The detail of the format is in the comments at the start of the file.) [/quote]

Thanks for pointing me where to look.  The clamsup.ini I have did not include any Foxhole signatures. I was successful in adding them manually.

I use Clamwall and my experience is the same as PaulW.  Banned extensions inside an archive file come through.

Following up to report my experience with adding Sanesecurity signatures including the Foxhole signatures.  They dramatically increase the number of quarantined messages but a significant percentage of them have already been tagged as Spam by my domain host so would have been detected by existing spam filters.  I am still receiving messages containing a .scr file inside of an attached .zip so my original problem remains.  Some of these messages appear to come from a financial institution and are genuine-looking enough that I hesitate to tell POPFile they are spam for fear of increasing the possibility of false positives.  I have considered creating a ZIP user and diverting all messages containing .zip attachments to it so I could review those messages before forwarding to the intended user but this does not seem very practical and would certainly cause delays.

I remain open to new suggestions.